Skip to content

Commit f81c2c4

Browse files
authored
Merge branch 'main' into migmartri/stale-token-revoke
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
2 parents 6711d81 + 46f1bbf commit f81c2c4

40 files changed

Lines changed: 600 additions & 116 deletions

.chainloop.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# This indicates the [current version]+next
22
# to indicate that we are building a new version of the project
3-
projectVersion: v1.75.0+next
3+
projectVersion: v1.76.0+next
44

55
# Experimental feature used by Chainloop labs shared workflow https://github.com/chainloop-dev/labs
66
# It maps the material names with location in disk so they get automatically attested

.github/workflows/codeql.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -49,9 +49,9 @@ jobs:
4949
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
5050

5151
- name: Set up Go
52-
uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1
52+
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
5353
with:
54-
go-version: "1.25.6"
54+
go-version-file: 'go.mod'
5555

5656
# Initializes the CodeQL tools for scanning.
5757
- name: Initialize CodeQL

.github/workflows/contracts/chainloop-vault-codeql.yml renamed to .github/workflows/contracts/chainloop-vault-codeql.yaml

File renamed without changes.

.github/workflows/contracts/chainloop-vault-helm-package.yml renamed to .github/workflows/contracts/chainloop-vault-helm-package.yaml

File renamed without changes.

.github/workflows/contracts/chainloop-vault-release.yml renamed to .github/workflows/contracts/chainloop-vault-release.yaml

File renamed without changes.

.github/workflows/contracts/chainloop-vault-scorecards.yml renamed to .github/workflows/contracts/chainloop-vault-scorecards.yaml

File renamed without changes.

.github/workflows/lint.yml

Lines changed: 16 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -24,25 +24,26 @@ jobs:
2424
- artifact-cas
2525
runs-on: ubuntu-latest
2626
steps:
27-
- uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1
28-
with:
29-
go-version: "1.25.6"
30-
3127
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
3228

29+
- name: Set up Go
30+
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
31+
with:
32+
go-version-file: 'go.mod'
33+
3334
- name: Lint main module
34-
uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # 7.0.0
35+
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # 9.2.0
3536
if: ${{ matrix.app == 'main-module' }}
3637
with:
37-
version: v2.4.0
38+
version: v2.9.0
3839
only-new-issues: 'true'
3940

4041
- name: Lint ${{ matrix.app }}
41-
uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # 7.0.0
42+
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # 9.2.0
4243
if: ${{ matrix.app != 'main-module' }}
4344
with:
4445
working-directory: app/${{ matrix.app }}
45-
version: v2.4.0
46+
version: v2.9.0
4647
only-new-issues: 'true'
4748

4849
lint-protos:
@@ -65,19 +66,20 @@ jobs:
6566
cd ~/.local
6667
curl -L https://dl.dagger.io/dagger/install.sh | DAGGER_VERSION=0.19.3 sh
6768
68-
- uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1
69-
with:
70-
go-version: "1.25.6"
71-
7269
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
7370

71+
- name: Set up Go
72+
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
73+
with:
74+
go-version-file: 'go.mod'
75+
7476
- name: Initialize module
7577
run: |
7678
make -C extras/dagger module-init
7779
7880
- name: Lint
79-
uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # 7.0.0
81+
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # 9.2.0
8082
with:
8183
working-directory: extras/dagger
82-
version: v2.4.0
84+
version: v2.9.0
8385
only-new-issues: 'true'

.github/workflows/release.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -79,9 +79,9 @@ jobs:
7979
password: ${{ secrets.GITHUB_TOKEN }}
8080

8181
- name: Set up Go
82-
uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1
82+
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
8383
with:
84-
go-version: "1.25.6"
84+
go-version-file: 'go.mod'
8585

8686
# install qemu binaries for multiarch builds (needed by goreleaser/buildx)
8787
- name: Setup qemu
Lines changed: 80 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,80 @@
1+
name: Daily Secrets Detection
2+
3+
on:
4+
schedule:
5+
# Run daily at 9:00 AM UTC
6+
- cron: '0 9 * * *'
7+
workflow_dispatch: # Allow manual triggering
8+
9+
permissions:
10+
contents: read
11+
id-token: write # Required for SLSA attestation
12+
13+
jobs:
14+
onboard_workflow:
15+
name: Onboard Chainloop Workflow
16+
uses: chainloop-dev/labs/.github/workflows/chainloop_onboard.yml@6bbd1c2b3022e48ae60afa0c2b90f3b6d31bcf11
17+
with:
18+
project: "chainloop"
19+
workflow_name: "daily-secrets-detection"
20+
secrets:
21+
api_token: ${{ secrets.CHAINLOOP_TOKEN }}
22+
23+
daily-secrets-scan:
24+
name: Daily Secrets Scan
25+
needs: onboard_workflow
26+
runs-on: ubuntu-latest
27+
env:
28+
CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
29+
CHAINLOOP_WORKFLOW_NAME: ${{ needs.onboard_workflow.outputs.workflow_name }}
30+
CHAINLOOP_PROJECT_NAME: ${{ needs.onboard_workflow.outputs.project_name }}
31+
32+
steps:
33+
- uses: actions/checkout@v4
34+
35+
- name: Install Chainloop
36+
run: |
37+
curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- --ee
38+
39+
- name: Initialize Attestation
40+
run: |
41+
chainloop attestation init --workflow ${CHAINLOOP_WORKFLOW_NAME} --project ${CHAINLOOP_PROJECT_NAME}
42+
43+
- name: Install Gitleaks
44+
run: |
45+
wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz
46+
mkdir -p /tmp/gitleaks-install
47+
tar -xzf gitleaks_8.30.0_linux_x64.tar.gz -C /tmp/gitleaks-install
48+
sudo install /tmp/gitleaks-install/gitleaks /usr/local/bin/
49+
rm -rf /tmp/gitleaks-install gitleaks_8.30.0_linux_x64.tar.gz
50+
gitleaks version
51+
52+
- name: Run Gitleaks Scan
53+
run: |
54+
gitleaks dir . \
55+
--report-format json \
56+
--report-path gitleaks-report.json \
57+
--config .github/workflows/utils/.gitleaks.toml \
58+
|| true
59+
60+
- name: Add Gitleaks Report to Attestation
61+
run: |
62+
chainloop attestation add \
63+
--name gitleaks-scan \
64+
--value gitleaks-report.json \
65+
--kind GITLEAKS_JSON
66+
67+
- name: Finish and Push Attestation
68+
if: ${{ success() }}
69+
run: |
70+
chainloop attestation push
71+
72+
- name: Mark attestation as failed
73+
if: ${{ failure() }}
74+
run: |
75+
chainloop attestation reset
76+
77+
- name: Mark attestation as cancelled
78+
if: ${{ cancelled() }}
79+
run: |
80+
chainloop attestation reset --trigger cancellation
Lines changed: 17 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,9 @@
1-
# This workflow uses actions that are not certified by GitHub. They are provided
2-
# by a third-party and are governed by separate terms of service, privacy
3-
# policy, and support documentation.
4-
51
name: Sync Chainloop Workflow contracts
62
on:
73
push:
8-
branches: [ "main" ]
4+
branches: ["main"]
95
paths:
10-
- '.github/workflows/contracts/**'
6+
- ".github/workflows/contracts/**"
117
schedule:
128
- cron: "0 0 * * *" # daily at midnight
139

@@ -16,7 +12,18 @@ permissions: read-all
1612

1713
jobs:
1814
chainloop_contract_sync:
19-
name: Chainloop Contract Sync
20-
uses: chainloop-dev/labs/.github/workflows/chainloop_contract_sync.yml@5344787a72876bd22e199b94c09a86532521b4b3
21-
secrets:
22-
api_token: ${{ secrets.CHAINLOOP_TOKEN }}
15+
name: "Chainloop Contract Sync"
16+
runs-on: ubuntu-latest
17+
env:
18+
CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
19+
steps:
20+
- name: Checkout repository
21+
uses: actions/checkout@v4
22+
- name: Install Chainloop
23+
run: |
24+
curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s
25+
- name: Update contract definitions
26+
run: |
27+
for file in .github/workflows/contracts/*.yaml; do
28+
chainloop wf contract apply -f $file
29+
done

0 commit comments

Comments
 (0)